<?xml version="1.0" ?>
<cherrytree>
	<node custom_icon_id="0" foreground="" is_bold="False" name="ctfspb" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1611169982.72" ts_lastsave="1611387190.51" unique_id="13">
		<rich_text></rich_text>
		<node custom_icon_id="0" foreground="" is_bold="False" name="reverse kids" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1611169993.1" ts_lastsave="1611170034.13" unique_id="14">
			<rich_text>forkbomb.ru</rich_text>
			<node custom_icon_id="0" foreground="" is_bold="False" name="s1 s2" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1611170034.13" ts_lastsave="1611386988.23" unique_id="15">
				<rich_text>s1.exe
with IDA - password here
&gt;VaL1DP@$$w0rD
_________________________________________
s2.exe - same
&gt;qwerty
_________________________________________
s3.exe

any leng but here is the rule
v5 = 117;
  for ( i = 0; i &lt; v6; ++i )
    v5 = (Str[i] + 1) * v5 % 256;
  if ( v5 == 118 )
_________________________________________
s4.exe

len &gt; 5
watch code - The sequence of addresses in the verification is important
answer is c14aeB
_________________________________________
s6.exe

len &gt; 6
answer is ?2Fw13D
_________________________________________
s7.exe

code:
 if ( v4 == 6 &amp;&amp; Str[5] == 'x' )
  {
    v3 = 1;
    for ( i = 1; i &lt; v4; ++i )
    {
      if ( Str[i] != i + Str[i - 1] )
	  
len = 6 
char(input[5]) = 120  =&gt; 120 in hex??

input[i] = i + input[i-1]   =&gt; all 6 symbols must be like this numbers:

ascii(char) &lt;-&gt; decimal   (</rich_text>
				<rich_text link="webs https://onlineasciitools.com/convert-decimal-to-ascii)">https://onlineasciitools.com/convert-decimal-to-ascii)</rich_text>
				<rich_text>
x = 120 = 5 + str[4] =&gt; str[4] = 115 = s 
s = 115 = 4 + str[3] =&gt; str[3] = 111 = o
o = 111 = 3 + s[2] =&gt; s[2] = 108 = l
l = 108 = 2 + s[1] =&gt; s[1] = 106 = j
j = 106 = 1 + s[0] =&gt; s[0] = 105 = i

example: 
i:012345
  ijlosx  -&gt; correct answer
_________________________________________
</rich_text>
			</node>
		</node>
	</node>
	<node custom_icon_id="0" foreground="" is_bold="False" name="other" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1611387181.87" ts_lastsave="1611387194.05" unique_id="16">
		<rich_text></rich_text>
		<node custom_icon_id="0" foreground="" is_bold="False" name="hackerdom" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1611387208.11" ts_lastsave="1611387213.68" unique_id="17">
			<rich_text></rich_text>
			<node custom_icon_id="0" foreground="" is_bold="False" name="crackme" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1611387213.69" ts_lastsave="1611387214.76" unique_id="18">
				<rich_text>crackme1.exe

result = a2;
  if ( a2 )
  {
    a1(a3);
    result = sub_401089(a1, a2 - 1, a3 + 4);
  }
  
 v5
 return(a2 ^ a1, 0, 10, input);
 
 v4
  return sub_401000(a1= a2 &amp;&amp; a1, a2= 1, a3= 10, a4= input));
  
sub_401000:

  if ( !a3 )
    return a2;

  return sub_401000(a1, a2= a1(a2, *a4), a3= a3 - 1, a4= a4 + 1);
  
  
 v4
 return sub_401000(a2 &amp;&amp; a1, 1, 10, input);</rich_text>
			</node>
		</node>
	</node>
	<node custom_icon_id="0" foreground="" is_bold="False" name="hackaday-u" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1610826307.23" ts_lastsave="1611387181.87" unique_id="1">
		<rich_text>ghidra notes about - patching not working properly
better use x64dbg if need</rich_text>
		<node custom_icon_id="0" foreground="" is_bold="False" name="session-one" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1610826313.05" ts_lastsave="1610828399.54" unique_id="2">
			<rich_text>useful links:

</rich_text>
			<rich_text link="webs https://onlinehextools.com/convert-hex-to-ascii">https://onlinehextools.com/convert-hex-to-ascii</rich_text>
			<rich_text>
</rich_text>
			<node custom_icon_id="0" foreground="" is_bold="False" name="c1" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1610826319.02" ts_lastsave="1610826717.45" unique_id="3">
				<rich_text>pwn3@kali:~$ ./hackaday-u/session-one/exercises/c1 hackadayu
Correct! The password was hackadayu this whole time!

iVar1 = strncmp(*(char **)(param_2 + 8),&quot;hackadayu&quot;,__n);

it just compare
easy

solution:
hackadayu</rich_text>
			</node>
			<node custom_icon_id="0" foreground="" is_bold="False" name="c2" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1610826749.9" ts_lastsave="1610827016.86" unique_id="5">
				<rich_text>if ((**(char **)(input + 8) == 'h') &amp;&amp; (*(char *)(*(long *)(input + 8) + 4) == 'u'))
+ len must be &gt;= 5

first char must be = ‘h’ and 5th (4th element from array) = ‘u’
other doesn't matter - any numbers or letters

pwn3@kali:~/hackaday-u/session-one/exercises$ ./c2 hoofu
Correct -- maybe we should pay attention to more characters... 

solution:
hoofu

h???u*

</rich_text>
			</node>
			<node custom_icon_id="0" foreground="" is_bold="False" name="c3" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1610827014.19" ts_lastsave="1610828352.78" unique_id="6">
				<rich_text>len must be &gt;= 5

if ((uint)*(byte *)(*(long *)(input + 8) + 2) - (uint)*(byte *)(*(long *)(input + 8) + 3) == 0x20)

hex(3 symbol) - hex(4 symbol) from input  = 0x20

hex 0x20 = dec 32

lets
2 = 22
3 = 2

0x60 = `
0x30 = 0
0x25 = %
0x45 = E

&gt;&gt;&gt; hex(0x45 - 0x25)
'0x20'

pwn3@kali:~/hackaday-u/session-one/exercises$ ./c3 swE%kld
Correct! You figured it out ... looks like we have to upgrade our security...

solution:
swE%kld

??E%?*
</rich_text>
			</node>
			<node custom_icon_id="0" foreground="" is_bold="False" name="c4" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1610826438.5" ts_lastsave="1610826666.06" unique_id="4">
				<rich_text>pwn3@kali:~/hackaday-u/session-one/exercises$ ./c4 jcemcfc{/w
Correct! You've entered the right password ... you're getting better at this!


answer in c++ code:
it compare hex values of chars in user input and in setted password

using ghidra I get 
if (&quot;hackaday-u&quot;[i] + 2 != (int)*(char *)((long)i + *(long *)(my-input + 8))) 

solution:
i char of user input must be +2 in hex = i char from </rich_text>
				<rich_text link="fold aGFja2FkYXktdQ==">hackaday-u</rich_text>
				<rich_text> word

so the correct answer is 
jcemcfc{/w
</rich_text>
			</node>
			<node custom_icon_id="0" foreground="" is_bold="False" name="legolas vs dobby" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1610827289.28" ts_lastsave="1610828568.37" unique_id="7">
				<rich_text>dobby is elf_example itself
legolas called elf_example inside itself

</rich_text>
			</node>
		</node>
		<node custom_icon_id="0" foreground="" is_bold="False" name="session-two" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1610828471.86" ts_lastsave="1610829442.4" unique_id="8">
			<rich_text></rich_text>
			<node custom_icon_id="0" foreground="" is_bold="False" name="variables-example" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1610829442.4" ts_lastsave="1610876530.74" unique_id="9">
				<rich_text>len must be &gt;=8 
  
    while (i &lt; 8) {
      if ((char)((char)(XorMe &gt;&gt; ((byte)(i &lt;&lt; 3) &amp; 0x3f)) + globalVar[i] + '\x01') !=
          *(char *)(*(long *)(input + 8) + (long)i)) {

    
[XorMe]                            = DEADBEEFFACECAFEh
DEADBEEFFACECAFE

if ((char)((char)(DEADBEEFFACECAFEh &gt;&gt; ((byte)(i &lt;&lt; 3) &amp; 0x3f)) + globalVar[i] + '\x01') != *(char *)(*(long *)(input + 8) + (long)i)) 

DEADBEEFFACECAFEh &gt;&gt; ((i &lt;&lt; 3) &amp; 0x3f) + [i] + '\x01') = [i] + i

00100782 0f b6 00        MOVZX      len,byte ptr [len]=&gt;s_KeYpress_00100868          = &quot;KeYpress&quot;

&gt;&gt;&gt; (0&lt;&lt;3)&amp;0x3f = 0
&gt;&gt;&gt; (1&lt;&lt;3)&amp;0x3f = 8
&gt;&gt;&gt; (2&lt;&lt;3)&amp;0x3f = 16
&gt;&gt;&gt; (3&lt;&lt;3)&amp;0x3f = 24
...
&gt;&gt;&gt; (7&lt;&lt;3)&amp;0x3f = 56
&gt;&gt;&gt; (8&lt;&lt;3)&amp;0x3f = 0
&gt;&gt;&gt; (9&lt;&lt;3)&amp;0x3f = 8

⇒ it works in cycle with 8 symbols

globalVar = &quot;KeYpress&quot; (= 00100868 ?)

i from 0 to 8; from this symbols this expression must be correct:

DEADBEEFFACECAFE &gt;&gt; (8*i + globalVar[i] + 1) = input[i] + i

for i=0:
K in hex = 4b
</rich_text>
				<rich_text background="#9be84b514b51">0xDEADBEEFFACECAFE &gt;&gt; (8*0 + K + 1) - 1 = input[0]</rich_text>
				<rich_text>

&gt;&gt;&gt; 0xDEADBEEFFACECAFE &gt;&gt; (0x4b + 0x01) -1
0L

</rich_text>
			</node>
		</node>
		<node custom_icon_id="0" foreground="" is_bold="False" name="session-three" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1610862669.94" ts_lastsave="1610862675.02" unique_id="10">
			<rich_text></rich_text>
			<node custom_icon_id="0" foreground="" is_bold="False" name="pointers" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1610862675.02" ts_lastsave="1610866402.31" unique_id="11">
				<rich_text>funks: main, gen_passwd

if ((len &lt; 0x256) &amp;&amp; (len = strlen(input_plus_x10_x18swp), 7 &lt; len))

        004007f1 48 83 f8 07     CMP        len,0x7
        004007f5 77 14           JA         LAB_0040080b

len &gt; 7 =&gt; min len = 8

         counter = 0;
          while( true ) {
            len = strlen(passwd);
            if (len &lt;= (ulong)(long)counter) {
              puts(&quot;Correct! Access granted!\r&quot;);
              free(passwd);
              return 0;
            }
            if (name[counter] != passwd[counter]) break;
            counter = counter + 1;
          }
pwn3@kali:~/hackaday-u/session-three/exercises$ ./pointers 1 abcdefgh abcdefgh
Invalid character in password detected, exiting now!


0x61 0x62 0x63 0x64 0x65 0x66 0x67 0x68 + 0x10
0x61 0x62 0x63 0x64 0x65 0x66 0x67 0x68 + 0x18

</rich_text>
				<node custom_icon_id="0" foreground="" is_bold="False" name="gen_password" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1610866402.31" ts_lastsave="1610866623.38" unique_id="12">
					<rich_text>input = key:
  
  len = strlen(*(char **)(key + 2));
  pss = malloc(len);
  counter = 0;
  while (counter &lt; len) {
    *(counter + pss) = (byte)key[6] ^ (char)*key + *(char *)(counter + (key + 2));
    *(counter + pss)= *(char *)(pss + counter) + -0x13;
    counter = counter + 1;
  }
  *(key + 4) = pss;</rich_text>
				</node>
			</node>
		</node>
	</node>
</cherrytree>
